Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Windows 2012 Applications and Services Logs no getting forwarded

amal4885
Explorer
‎12-10-2014 05:34 PM

Hi,

I have added the following lines to the inputs.conf on the universal forwarder. But those events are not getting forwarded to Splunk. Any idea as to what I've done wrong here?

[WinEventLog://Microsoft-Exchange-HighAvailability/Operational]
disabled = 0

[WinEventLog://Microsoft-Exchange-ManagedAvailability/Monitoring]
disabled = 0

[WinEventLog://MSExchange Management]
disabled = 0

[WinEventLog://Microsoft-Exchange-MailboxDatabaseFailureItems/Operational]
disabled = 0

Regards,
Amal

0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎12-12-2014 10:32 AM

All of the channels seem to be reasonable, so there is no reason why they shouldn't be read unless there is a permissions issue. Check the log files on the forwarder in %SPLUNK_HOME%\var\log\splunk - most notably splunkd.log (you can do this from the splunk instance by searching index=_internal source=*splunkd.log host=) for any errors in the WinEventLog modular input.

0 Karma
Reply

Raghav2384
Motivator
‎12-10-2014 06:18 PM

Could you please post your Outputs.conf as well? Does it have the right path and port to the receivers?

0 Karma
Reply

amal4885
Explorer
‎12-10-2014 06:40 PM

I have 3 conf files sets. Following are the outputs.conf files.
FYI data is getting to the server. As if in Application and System logs. But not the new non-standard logs I have configured.

#   Version 6.1.3
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_introspection)
forwardedindex.filter.disable = false

#   Version 6.1.3

[tcpout]
maxQueueSize = auto
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false
indexAndForward = false
autoLBFrequency = 30
blockOnCloning = true
compressed = false
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
heartbeatFrequency = 30
maxFailuresPerInterval = 2
secsInFailureInterval = 1
maxConnectionsPerIndexer = 2
forceTimebasedAutoLB = false
sendCookedData = true
connectionTimeout = 20 
readTimeout = 300
writeTimeout = 300 
useACK = false
blockWarnThreshold = 100


[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = oracle:9997

[tcpout-server://oracle:9997]
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...